mac-flap; limit or tuning?

brian.kennedy (Level 1)

Anyone know how many times within a time frame a MAC address needs to show up on two ports before a mac-flap error is logged? And is there a way to tune that threshold?

We're running some APs in flex mode, and a few handheld clients are roaming between access points a little too often, and we're seeing mac-flap errors from these devices. I know that's going to be somewhat normal as devices roam from one AP to another, but we obviously don't see this on every other device as it roams, so there must be a number of instances that need to happen before the alert is triggered.

We're also looking at the client to see why they're trying to roam so much.

thanks

brian

23 Replies

Hello Brian,

I believe if the address flaps 4 times between the two ports in a 15 sec period MACFLAP_NOTIF messages will be sent for that period (15 sec.)

I don't think it's possible to tune this behavior, since this is a fundamental behavior for this situation.

-- 
Best regards,
Dmitry Skotnikov


An123 (Level 1)

Hi @Dmytro Skotnikov, is there any official reference or documentation confirming that if a MAC address flaps 4 times between two ports within a 15-second period, a %SW_MATM-4-MACFLAP_NOTIF message will be generated for that period?

Hello @An123. Even though this was a question from 2013, it's still a relevant issue today. Cisco doesn't publicly document the exact threshold, but from TAC cases and field experience, it usually takes 2–5 rapid MAC moves (within a few seconds) for a flap to be logged. This behavior is platform-dependent and not tunable via CLI on most IOS switches.

Cisco's official documentation confirms that MAC flaps occur when the same MAC is seen on two different ports in quick succession, which is often normal in FlexConnect environments as clients roam.

While you can't configure a flap detection threshold, enabling PortFast on AP switchports can reduce unnecessary flaps. It's also a good idea to check why specific clients are roaming more aggressively than others.

Let me know your switch model if you'd like a more specific recommendation, and check these 2 links G:

https://www.cisco.com/c/en/us/support/docs/lan-switching/spanning-tree-protocol-stp-8021d/221722-troubleshoot-mac-flaps-loop-on-cisco-cat.html

https://www.cisco.com/c/en/us/tech/index.html (this one takes you to the Cisco "Technology Support" main portal, which is essentially the central hub for all Cisco technical documentation, broken down by technology)

-Enes

more Cisco?!
more Gym?!

An123 (Level 1)

@Enes Simnica Thanks for your reply. In what cases does MAC flapping occur? If it's because of a loop, what are the scenarios that can cause the loop?

Sure @An123 G. MAC flapping often points to a Layer 2 loop, but not always. The most common scenarios where loops (and thus MAC flaps) can occur:

  • Redundant links without STP (Spanning Tree Protocol) properly configured, or with STP disabled.
  • Misconfigured EtherChannel: links configured differently on each end.
  • Broadcast storms caused by faulty devices or loops.
  • Improper cabling, like connecting two access ports together.

Flapping can also happen in wireless roaming (like with FlexConnect) or load balancing setups where MACs legitimately move between ports.

Also check this link for some STP info G: https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/15-4SY/config_guide/sup6T/15_3_sy_swcg_6T/spanning_tree.pdf (it helps...)

-Enes

more Cisco?!
more Gym?!

An123 (Level 1)

@Enes Simnica Thank you, sir. 

@An123 you're welcome G, and great question!

MAC flapping and host flapping are related, but they're not exactly the same thing.

  • MAC flapping happens when a switch sees the same MAC address bouncing between two different interfaces quickly. This usually means the switch keeps updating its MAC address table rapidly, which can be caused by: Layer 2 loops, roaming wireless clients, load balancing mechanisms, bad cabling or EtherChannel mismatches.
  • Host flapping, on the other hand, is a broader term: it can mean either MAC flapping at Layer 2 or IP route flapping at Layer 3 (like in dynamic routing protocols or firewalls/IPS doing ARP learning). It's context-dependent. In a pure switching context, they often mean the same thing.

Also, if you want, let me know the platform you're running (Catalyst 9K, 2960, etc.), and I'll help you narrow down causes or share commands to trace flaps in the logs.

-Enes

more Cisco?!
more Gym?!
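As an added example (not from the thread or from Cisco), here is how the %SW_MATM-4-MACFLAP_NOTIF lines mentioned above can be parsed from a saved `show logging` output to separate a single roaming client from a loop. The log lines are constructed samples; the `min_hosts` threshold is an assumed heuristic, not a Cisco value.

```python
import re
from collections import Counter, defaultdict

# Constructed sample syslog lines (not from the thread) in the IOS
# %SW_MATM-4-MACFLAP_NOTIF format, plus one unrelated line that must be ignored.
SAMPLE_LOG = """\
Jul 20 10:00:01.101: %SW_MATM-4-MACFLAP_NOTIF: Host 0011.2233.4455 in vlan 10 is flapping between port Gi1/0/1 and port Gi1/0/2
Jul 20 10:00:16.240: %SW_MATM-4-MACFLAP_NOTIF: Host 0011.2233.4455 in vlan 10 is flapping between port Gi1/0/2 and port Gi1/0/1
Jul 20 10:00:31.512: %SW_MATM-4-MACFLAP_NOTIF: Host 0011.2233.4455 in vlan 10 is flapping between port Gi1/0/1 and port Gi1/0/2
Jul 20 10:02:05.003: %SW_MATM-4-MACFLAP_NOTIF: Host aabb.ccdd.0001 in vlan 20 is flapping between port Gi1/0/5 and port Po1
Jul 20 10:02:05.120: %SW_MATM-4-MACFLAP_NOTIF: Host aabb.ccdd.0002 in vlan 20 is flapping between port Po1 and port Gi1/0/5
Jul 20 10:02:05.377: %SW_MATM-4-MACFLAP_NOTIF: Host aabb.ccdd.0003 in vlan 20 is flapping between port Gi1/0/5 and port Po1
Jul 20 10:03:00.000: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/7, changed state to down
"""

FLAP_RE = re.compile(
    r"%SW_MATM-4-MACFLAP_NOTIF: Host (?P<mac>(?:[0-9a-f]{4}\.){2}[0-9a-f]{4}) "
    r"in vlan (?P<vlan>\d+) is flapping between port (?P<p1>\S+) and port (?P<p2>\S+)"
)


def parse_flaps(text):
    """Return (mac, vlan, port_pair) per notification; the pair is sorted so that
    Gi1/0/1<->Gi1/0/2 and Gi1/0/2<->Gi1/0/1 count as the same pair."""
    events = []
    for line in text.splitlines():
        m = FLAP_RE.search(line)
        if m:
            pair = tuple(sorted((m["p1"], m["p2"])))
            events.append((m["mac"], int(m["vlan"]), pair))
    return events


def top_flappers(events, n=5):
    """Hosts with the most notifications: one MAC bouncing on its own usually
    means a roaming or dual-homed client rather than a loop."""
    return Counter((mac, vlan) for mac, vlan, _ in events).most_common(n)


def suspected_loop_pairs(events, min_hosts=3):
    """Port pairs on which many *different* MACs flap: that pattern is the
    signature of a Layer 2 loop rather than of a single roaming client."""
    hosts = defaultdict(set)
    for mac, _, pair in events:
        hosts[pair].add(mac)
    return sorted(p for p, macs in hosts.items() if len(macs) >= min_hosts)
```

On the sample, `top_flappers` reports the single handheld-style client on Gi1/0/1/Gi1/0/2 three times, while `suspected_loop_pairs` flags Gi1/0/5/Po1 because three distinct MACs moved across it within the same second.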

An123 (Level 1)

@Enes Simnica Is this limitation of setting priority in multiples of 4096 specific to Cisco switches (due to their PVST+ implementation), or is it a standard requirement followed by other switch vendors and IEEE standards as well? I want to understand if non-Cisco switches also require the same multiples or if they allow any priority value between 0 and 65535. Why this rule?

Yes @An123. The priority must be set in multiples of 4096 because of how the IEEE 802.1D standard defines the Bridge ID structure. It's not just a Cisco thing, because most vendors follow the same rule.

The Bridge ID is made up of:

  • 4 bits: Bridge Priority
  • 12 bits: Extended System ID (typically the VLAN ID)

Since only the upper 4 bits of the 16-bit priority field are used, it results in values like 0, 4096, 8192, etc., up to 61440. That's why you can't set random values; it's by design, not a vendor limitation.

hope it helps G...

-Enes

more Cisco?!
more Gym?!

An123 (Level 1)

@Enes Simnica 

Thank you, sir. I have the following doubts:

  1. If MAC flapping happens due to an L2 loop, what are the possible causes of the Layer 2 loop?

  2. Is there any proof or documentation that shows the bridge priority being a multiple of 4096 is followed by all switch vendors?

  3. Why must the bridge priority be a multiple of 4096?

  4. Are the bridge priority (4 bits) and VLAN ID (12 bits) stored separately in the 16-bit field, or are they added together and stored as a single value?

@An123 great set of questions G. Let's go: I will answer each question one by one...

1. If MAC flapping happens due to an L2 loop, what are the possible causes of the Layer 2 loop?

Layer 2 loops, G, can be caused by:

  • Redundant links without STP (Spanning Tree Protocol) enabled
  • STP misconfigurations — like BPDU filtering or guard wrongly applied
  • EtherChannel mismatches (config not consistent on both sides)
  • Accidentally connecting two access ports together (bridging VLANs unintentionally)
  • Misbehaving or faulty end devices creating bridging loops

Meaning that, once a loop forms, broadcast and multicast traffic can circulate endlessly, which causes MACs to flap between interfaces, and that's why the switch gets very busy and confused at the same time.

Now the second question: 2. Why must the bridge priority be a multiple of 4096? This is defined by the IEEE 802.1D standard, which means that it's not just a Cisco rule. The 16-bit bridge ID field in the BPDU consists of 4 bits (bridge priority) and 12 bits (the extended system ID), and since only 4 bits are used for the actual priority, valid values are 2⁴ = 16 increments of 4096 (0, 4096, 8192, ..., 61440).

3. Is there any proof or documentation that shows this 4096 rule is followed by all switch vendors? Yes G most vendors follow this because it's baked into the 802.1D standard. Even if they don’t use PVST+ like Cisco, their STP implementations (RSTP, MSTP, etc.) still follow the same Bridge ID structure.

4. Are the bridge priority (4 bits) and VLAN ID (12 bits) stored separately in the 16-bit field, or added together and stored as a single value? They are stored as a single 16-bit value but composed of two logical parts: the upper 4 bits and the lower 12 bits.

hope it helps, also check these links (the first one is a very very sick video from Kevin Wallace, with a deep dive of 2 hours plus, it is just SICK):

more Cisco?!
more Gym?!
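As an added example (not from the thread), the packing of the 16-bit priority/extended-system-ID field and the 64-bit Bridge ID described in the two answers above, as IEEE 802.1D-2004 lays them out, with the root election that compares them. The MAC addresses are constructed samples.

```python
# Added example (not from the thread): the 16-bit priority/extended-system-ID field
# and the 64-bit Bridge ID as 802.1D-2004 lays them out. MAC addresses are constructed.
EXT_SYS_ID_BITS = 12
PRIORITY_STEP = 1 << EXT_SYS_ID_BITS   # 4096: smallest change the 4 priority bits can express
MAX_PRIORITY = 15 * PRIORITY_STEP      # 61440: all four priority bits set


def build_priority_field(priority, vlan):
    """Pack bridge priority (upper 4 bits) and VLAN/extended system ID (lower 12 bits)."""
    if priority % PRIORITY_STEP or not 0 <= priority <= MAX_PRIORITY:
        raise ValueError(f"priority must be a multiple of {PRIORITY_STEP} in 0..{MAX_PRIORITY}")
    if not 1 <= vlan <= 4094:
        raise ValueError("extended system ID (VLAN) must be 1..4094")
    # The low 12 bits of a valid priority are zero, so OR and addition give the same result.
    return priority | vlan


def split_priority_field(field):
    """Recover (priority, extended system ID) from the packed 16-bit value."""
    return field & 0xF000, field & 0x0FFF


def bridge_id(priority, vlan, mac):
    """64-bit Bridge ID: the packed 16-bit field followed by the 48-bit bridge MAC
    (Cisco dotted notation, e.g. 0011.2233.4455)."""
    return build_priority_field(priority, vlan) << 48 | int(mac.replace(".", ""), 16)


def elect_root(bridges):
    """Return the (priority, vlan, mac) tuple with the numerically lowest Bridge ID."""
    return min(bridges, key=lambda b: bridge_id(*b))


if __name__ == "__main__":
    # 32768 + VLAN 10 is the familiar 'Priority 32778' that show spanning-tree prints.
    print(build_priority_field(32768, 10))   # 32778
    print(split_priority_field(32778))       # (32768, 10)
    candidates = [(32768, 10, "0011.2233.4455"), (24576, 10, "aabb.ccdd.eeff")]
    print(elect_root(candidates))            # (24576, 10, 'aabb.ccdd.eeff')
```

A priority such as 4097 is rejected because its low bits would overwrite the VLAN field, which is exactly why IOS only accepts multiples of 4096.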

An123 (Level 1)

Thank you, @Enes Simnica

Is there any documentation that explains these causes in detail with examples?

An123 (Level 1)

@Enes Simnica Is it possible that SR-IOV is creating a loop? If there is any document related to this, kindly share.